Recipients of Office 365 Encrypted Emails will sometimes receive HTML attachments having broken links or HTML scripts removed from the encrypted attachment thereby making them unable to access the encrypted emails.
This article describes a solution to this problem that is caused by the HTML Sanitizer or the Email Exploit Engine scrubbing the encrypted attachments for malicious tags. The procedure described is applicable to the various forms of email encryption such as Office 365 Encrypted (Secure) Messages or Cisco Secured Emails (Registered Envelope Service, also called SecureDoc).
Received encrypted emails have their links, images, or scripts removed even though the UI logs show the message was processed as [OK].
When the HTML Sanitizer module acts upon an email to remove malicious scripts and tags, the Dashboard logs would not show this information but the actions taken will always be logged in the debug logs. You can obtain more details on the removed scripts by examining the debug log file for the HTML Sanitizer located at
...\GFI\MailEssentials\EmailSecurity\DebugLogs\Html Script Removal.gfi_log.txt.
Before proceeding, it is advisable to confirm that the root cause is MailEssentials by temporarily disabling scanning emails as described here: Enabling or Disabling GFI MailEssentials Processing. If the issue persists with mail scanning disabled then the cause is unrelated to MailEssentials and troubleshooting should continue by checking other external components affecting the mail flow.
Encrypted emails are usually sent as an HTML attachment with a standard filename. In the case of Office 365 Encrypted Email, this attachment is called message.html.
The HTML Sanitizer engine can strip this attachment of certain scripts leaving broken links and the recipients unable to open the email.
Although the encrypted emails are from a trusted source, the method in which they are being sent legitimately registers as an email exploit.
The HTML Sanitizer allows for senders to be whitelisted to avoid HTML scrubbing or alternatively scanning inbound emails can be disabled for this engine.
Since there is no whitelisting functionality for the Email Exploit Engine, the workaround is to disable the specific rules that trigger emails with HTML attachments.
Follow the below steps to isolate the root cause and allow the HTML attachments for encrypted emails to pass through unchanged.
- Open the MailEssentials Configuration console
- Expand the EmailSecurity node, then click on the HTML Sanitizer to open its properties
- Select the Whitelist tab and make an entry for the address that is sending the encrypted emails.
- Expand the Email Exploit Engine node and click on Exploit List
- Check off Rule IDs 7 and 10, then hit the Disable Selected button.
- Click Apply to save the changes and send a test encrypted email to confirm the operation is successful.
The encrypted email should now bypass the HTML Sanitizer and the Email Exploit Engine and should be delivered without any changes to the HTML attachment.